China Cybersecurity Review Measures

The Event

Thirteen Chinese government agencies, including Cyberspace Administration of China, National Development and Reform Commission of China, and China Securities Regulatory Commission, have jointly released  new Cybersecurity Review Measures (the “New Measures”) which take effect on February 15, 2022. The New Measures replace the prior Cybersecurity Review Measures implemented on 1 June 2020.

Why It Is Important

The New Measures introduced a new requirement for Chinese companies planning to list in offshore exchanges. Article 7 of the New Measures states:

“Network platform operators who hold the personal information of 1 million users or above must apply for network national security review before going public abroad”.

According to Article 10 of the New Measures, the following risks must be reviewed from a national security perspective:

1. Whether there is a risk of critical information infrastructure being illegally controlled, disrupted or damaged after the use of products and services;
2. Whether any disruption in the supply of the relevant products and services would cause continuous harm to the critical information infrastructure operations;
3. Whether the relevant products and services are secure, open, transparent, and have multiple supply sources, whether the suppliers are reliable, and whether the supply of such products and services may be disrupted by political, diplomatic, trade and other factors;
4. Whether the product and service providers comply with Chinese laws, administrative regulations, and departmental rules;
5. Whether there is a risk that core data, important data or large amount of personal information would be stolen, disclosed, destroyed or illegally used or illegally transferred cross-border;
6. Whether the public listing of the relevant entity would present risk that foreign governments may illegally influence, control, or maliciously use any critical information infrastructure, core data, important data or large amount of personal information.
7. Whether there is a risk that critical information infrastructure, core data, important data or a large amount of personal information will be affected, controlled, or maliciously exploited by foreign governments, as well as network information security risks; and
8. Other factors that can compromise critical information infrastructure security, network security, and data security.

The cybersecurity review procedures, documents requirements and penalties for violations are also provided in the New Measures.

What It Means For You

The New Measures will add a new layer of administrative burden to data Chinese data processors listing offshore, even if they do not export data in their daily operations.

Investors in any early stage PRC based companies with plans to list offshore should endeavor to understand the cybersecurity review process, and modify their due diligence process to identify any potential risks that this review could bring and adjust valuations accordingly.

How We Can Help

If this development affects your China operation, we are happy to help you understand the content of the New Measures, and their impact on your current or future operations. Once an understanding is developed, we can also help your team design and implement Standard Operating Procedures to ensure compliance in ongoing operations and transactions.

This alert is provided for information purposes only and does not constitute legal advice and is not intended to form an attorney client relationship.